Release Notes v4.0 MR3 Patch Release 1 01-431-84420-20110628 FortiGate ® Multi-Threat Security System

FortiOS v4.0 MR3 Patch Release 1 Release Notes


Release Notes FortiOS v4.0 MR3 - Patch Release 1

Table of Contents

1 FortiOS v4.0 MR3 – Patch Release 1
  1.1 Summary of Enhancements Provided by v4.0 MR3 Patch Release 1
  1.2 FortiOS to FortiClient Interoperability
2 Special Notices
  2.1 General
  2.2 UTF-8 Coding
  2.3 Captive Portal Authentication for WiFi connections
  2.4 Virtual APs in non-root VDom on a WiFi Controller
3 Upgrade Information
  3.1 Upgrading from FortiOS v4.0 MR2
  3.2 Upgrading from FortiOS v4.0 MR1
4 Downgrading to FortiOS v4.0.0
5 Fortinet Product Integration and Support
  5.1 FortiManager Support
  5.2 FortiAnalyzer Support
  5.3 FortiClient Support
  5.4 FortiAP Support
  5.5 Fortinet Single Sign On (FSSO) Support
  5.6 AV Engine and IPS Engine Support
  5.7 Module Support
  5.8 SSL-VPN Support
    5.8.1 SSL-VPN Standalone Client
    5.8.2 SSL-VPN Web Mode
  5.9 SSL-VPN Host Compatibility List
  5.10 Explicit Web Proxy Browser Support
  5.11 FortiExplorer Support
6 Resolved Issues in FortiOS v4.0 MR3 - Patch Release 1
  6.1 Web User Interface
  6.2 System
  6.3 High Availability
  6.4 Router
  6.5 Firewall
  6.6 IPS
  6.7 Web Filter
  6.8 Web Proxy
  6.9 Antispam
  6.10 VPN
  6.11 Log & Report
  6.12 FSSO
  6.13 WiFi
7 Known Issues in FortiOS v4.0 MR3
  7.1 Command Line Interface (CLI)
  7.2 System
  7.3 High Availability
  7.4 Firewall
  7.5 VPN
8 Image Checksums

June 28, 2011

Change Log

Date Change Description

2011-06-28 Initial Release.

© Copyright 2011 Fortinet Inc. All rights reserved. Release Notes FortiOS™ v4.0 MR3. Patch Release 1.

Trademarks

Copyright© 2011 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com


1 FortiOS v4.0 MR3 – Patch Release 1

This document provides installation instructions and addresses issues and caveats in FortiOS™ v4.0 MR3 B0458 - Patch Release 1. The following outlines the release status for several models.

Model: FGT-30B, FWF-30B, FGT-50B, FGT-51B, FWF-50B, FGT-60B, FWF-60B, FGT-60C, FWF-60C, FWF-60CM, FWF-60CX-A, FGT-80C, FGT-80CM, FWF-80CM, FWF-81CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-200B, FGT-200B-POE, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-621B, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A-LENC, FGT-1240B, FGT-3000, FGT-3016B, FGT-3040B, FGT-3140B, FGT-3600, FGT-3600A, FGT-3810A, FGT-3950B, FGT-3951B, FGT-5001A, FGT-5001, FGT-5001B, FGT-5001FA2, FGT-5002FB2, FGT-5005FA2, FGT-ONE and FGT-VM.

FortiOS v4.0 MR3 Patch Release 1 Status: All models are supported on the regular v4.0 MR3 - Patch Release 1 branch.

Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR3 Patch Release 1.

 1.1 Summary of Enhancements Provided by v4.0 MR3 Patch Release 1

The following is a brief list of the new features added in FortiOS v4.0 MR3 Patch Release 1.

• BGP AS Overrides
• Central Management Locking/Unlocking
• Control and Mitigate Traffic Bypassing SSL Proxy
• Convert Web UI Language Files To Be UTF-8 Standard
• Enlarge Table Size for Firewall Address and Firewall Service on High-End Models
• FMC-C20 and FMC-F20 Support
• FortiClient Connect Licensing Support
• FSSO Sniffer Policy Support
• Geographic Destinations Chart in Default Report
• GTP v1 release 7.15.0 support
• GTP v1 release 8.12.0 support
• Improvements of Usability on Firewall Policy configurations via Web UI
• Improvements and Simplification of Local Ratings & Local Categories Settings in Web Filter Configuration
• Improvements of Usability on Application Control and IPS Sensor configurations via Web UI
• Improvements of Usability on Web Filter Profile configurations via Web UI
• Integration of DNS Service on Interface and Server administration
• Increase for Maximum Value of Local Users on FortiGate-50x Serial Models
• Increase for Maximum Value of User Group
• Quick Test Button for Remote Server Reachability via Web UI
• Restoration of Function LDAP-Group-Check
• STARTTLS Scanning Over SMTP Proxy
• Web Cache Monitor via Web UI
• Web Mail Logging Support
• Web UI Navigation Menu Reorganization and Improvement
• WiFi Controller on FortiWiFi Models Under Client Mode

 1.2 FortiOS to FortiClient Interoperability

The release of FortiOS v4.0 MR3 Patch Release 1 introduces support for FortiClient Connect v4.0 MR3. Support for this client software requires a license key to be installed on the FortiGate device. This license key is based on concurrent connection usage and up to 10 clients can be used without a license key. Additional licenses may be obtained from your Fortinet sales representative or local Fortinet reseller.

Version Requirement

FortiOS: v4.0 MR3 Patch Release 1

FortiClient Connect: v4.0 MR3

Licensed Connectivity:
• One concurrent IPSec connection established through FortiClient
• One concurrent End-Point control connection
• One concurrent SSL-VPN connection established through FortiClient

Note: End-Point control connections established through an IPSec connection count as two concurrent connections.


2 Special Notices

 2.1 General

The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to be viewed properly.

Web Browser Support

• Microsoft Internet Explorer™ 8.0 (IE8) and FireFox 3.5 or later are fully supported.

BEFORE any upgrade

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade

• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper display of the Web UI screens.

• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.

 2.2 UTF-8 Encoding

The CLI and Web UI in FOS v4.0 MR3 Patch Release 1 employ the UTF-8 encoding scheme for configuration objects. As such, configuration objects that are longer than 2 bytes prior to upgrading may not be displayed well. To remedy this issue, users should reduce the length of names used for configuration objects before upgrading.

 2.3 Captive Portal Authentication for WiFi connections

Captive Portal Authentication for WiFi connections is not supported when a WiFi interface is a member of a soft-switch interface.

 2.4 Virtual APs in non-root VDom on a WiFi Controller

This section applies to FortiWiFi models ONLY.

FortiWiFi models can act as wireless controllers as of FortiOS 4 MR3, as an enhancement. A FortiWiFi model will be the default WiFi controller for its own wireless interface. As such, when the wireless interface is running in AP mode and there are APs configured and running in non-root VDoms, those APs could stop working upon upgrade. To work around this issue, either use a second FortiGate/FortiWiFi model to act as the WiFi controller or change all APs to work in the root VDom.


3 Upgrade Information

 3.1 Upgrading from FortiOS v4.0 MR2

FortiOS v4.0 MR3 - Patch Release 1 officially supports upgrade from FortiOS v4.0 MR2 Patch Release 4 or later. See the upgrade path below.

[FortiOS v4.0 MR2]
The upgrade is supported from FortiOS v4.0 MR2 Patch Release 4 B0313 or later.

v4.0 MR2 Patch Release 4 B0313 (or later)
↓
v4.0 MR3 Patch Release 1 B0458 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[DDNS]
DDNS configuration under the interface is moved to global mode “config system ddns” after upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[DNS Server]
The “dns-query recursive/non-recursive” option under a specific interface is moved to the system level per VDom mode, and “config system dns-server” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[Ping Server]
“gwdetect” related configurations under a specific interface have been moved under router per VDom mode. “config router gwdetect” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[Central-management]
The “set auto-backup disable” and “set authorized-manager-only enable” configurations under “config system central-management” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[SNMP community]
A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[Modem Settings]
“wireless-custom-vendor-id” and “wireless-custom-product-id” are moved from “config system modem” to “config system 3g-modem custom” upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[AMC slot settings]
The default value of ips-weight under config system amc-slot will be changed from balanced to less-fw after upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[Wireless radio settings]
Wireless radio settings except SSID, Security Mode, and Authentication settings will be lost after upgrade. The workaround is described in the Special Notices section.


[Web filter overrides]
The contents of web filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch Release 4 B0313 to FortiOS v4.0 MR3 - Patch Release 1.

[Firewall policy settings]
If the source interface or destination interface is set to an amc-XXX interface, the default value of ips-sensor under config firewall policy will change from all_default to default after upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[URL Filter]
The “action” options in urlfilter configuration have been changed from “Allow, Pass, Exempt, Block” to “Allow, Monitor, Exempt, Block”. The “Allow” action does not generate a log in v4.3.1. The new “Monitor” action behaves like “Allow” but with logging. The “Pass” action in v4.2 has been merged into “Exempt” in v4.3.1, and the CLI command has been changed from “set action pass” to “set exempt pass”.

[FortiGuard Log Filter]
The settings of “config log fortiguard filter” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[FortiGuard Log Setting]
The options “quotafull” and “use-hdd” in “config log fortiguard setting” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

 3.2 Upgrading from FortiOS v4.0 MR1

FortiOS v4.0 MR3 - Patch Release 1 officially supports upgrade from FortiOS v4.0 MR1 Patch Release 9 or later. See the upgrade path below.

[FortiOS v4.0 MR1]
The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 B0213 Patch Release 9 or later.

v4.0 MR1 Patch Release 9 B0213 (or later)
↓
v4.0 MR3 Patch Release 1 B0458 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Network Interface Configuration]
If a network interface has the ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR3 - Patch Release 1 the ips-sniffer-mode setting will be changed to disable.

[Traffic shaping]
The unit of guaranteed-bandwidth, inbandwidth, outbandwidth and maximum-bandwidth for traffic shaping changes from kilo-bytes/sec to kilo-bits/sec after upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[System Autoupdate Settings]
The default values of config system autoupdate schedule will be changed from disable to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 1.


[DHCP Server]
The names of DHCP servers are replaced with entry numbers. The “start-ip” and “end-ip” options are changed to “config ip-range” under DHCP Server after upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[DDNS]
DDNS configuration under the interface is moved to global mode “config system ddns” after upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[DNS Server]
The “dns-query recursive/non-recursive” option under a specific interface is moved to the system level per VDom mode, and “config system dns-server” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[Ping Server]
“gwdetect” related configurations under a specific interface have been moved under router per VDom mode. “config router gwdetect” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[Central-management]
The “set auto-backup disable” and “set authorized-manager-only enable” configurations under “config system central-management” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[SNMP community]
A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[Modem Settings]
“wireless-custom-vendor-id” and “wireless-custom-product-id” are moved from “config system modem” to “config system 3g-modem custom” upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[IPS DoS sensor log setting]
The default log setting of an IPS DoS sensor is disable on FortiOS v4.0 MR3 - Patch Release 1. Whether the log setting of an IPS DoS sensor is disable or enable on FortiOS v4.1.9 or any subsequent patch, after upgrading to FortiOS v4.0 MR3 - Patch Release 1, the setting will be set to disable.

[IPS sensor log setting]
The log setting of IPS sensors is enable by default on FortiOS v4.0 MR3 - Patch Release 1. If the log setting of an IPS sensor is disabled on FortiOS v4.1.9 or any subsequent patch, the value will be kept after upgrading to FortiOS v4.0 MR3 - Patch Release 1. If the log setting of an IPS sensor is enable or default on FortiOS v4.1.9 or any subsequent patch, the value will be changed to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[DLP Rule]
A DLP rule with the subprotocol setting set to sip simple sccp will be lost upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.


[Web Filter & Spam Filter]
The names webfilter-status and spamfilter-status have been changed to webfilter-force-off and antispam-force-off. The default value is set to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 1. To use web filter and spam filter, users have to disable the two entries by using the following CLI command:

    config system fortiguard
        set webfilter-force-off disable
        set antispam-force-off disable
    end

[URL Filter]
The “action” options in urlfilter configuration have been changed from “Allow, Pass, Exempt, Block” to “Allow, Monitor, Exempt, Block”. The “Allow” action does not generate a log in v4.3.1. The new “Monitor” action behaves like “Allow” but with logging. The “Pass” action in v4.2 has been merged into “Exempt” in v4.3.1, and the CLI command has been changed from “set action pass” to “set exempt pass”.

[FortiGuard Log Filter]
The settings of “config log fortiguard filter” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.

[FortiGuard Log Setting]
The options “quotafull” and “use-hdd” in “config log fortiguard setting” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 1.
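A pre-upgrade check over a saved configuration backup, flagging settings that sections 3.1 and 3.2 say are removed or moved. This is an added example, not Fortinet code: the sample configuration and its option values are constructed, and the rule list covers only settings these notes name together with their CLI section.

```python
"""Pre-upgrade audit of a saved FortiOS configuration backup (added example)."""

# Rules transcribed from sections 3.1 and 3.2 of these release notes:
# (config section, option name or None for "whole section", what happens).
RULES = [
    ("system central-management", "auto-backup", "removed on upgrade"),
    ("system central-management", "authorized-manager-only", "removed on upgrade"),
    ("system modem", "wireless-custom-vendor-id",
     "moved to 'config system 3g-modem custom'"),
    ("system modem", "wireless-custom-product-id",
     "moved to 'config system 3g-modem custom'"),
    ("log fortiguard filter", None, "whole section removed on upgrade"),
    ("log fortiguard setting", "quotafull", "removed on upgrade"),
    ("log fortiguard setting", "use-hdd", "removed on upgrade"),
]

# Constructed sample backup; option values are illustrative only.
SAMPLE = """\
config system central-management
    set auto-backup disable
    set authorized-manager-only enable
end
config system modem
    set wireless-custom-vendor-id 0x1234
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set alias "config log fortiguard filter"
    next
end
config log fortiguard filter
    set severity information
end
config log fortiguard setting
    set status enable
    set quotafull overwrite
end
"""


def walk(text):
    """Yield (line_no, section, option, value) events from a config backup.

    A 'config ...' line yields an event with option None; each 'set' line
    yields an event attributed to the innermost open 'config' block.
    'edit'/'next' lines do not change the section and are skipped.
    """
    stack = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
            yield lineno, stack[-1], None, None
        elif tokens[0] == "end" and stack:
            stack.pop()
        elif tokens[0] == "set" and len(tokens) >= 2 and stack:
            yield lineno, stack[-1], tokens[1], " ".join(tokens[2:])


def audit(text):
    """Return (line_no, section, option, note) for every rule that matches."""
    findings = []
    for lineno, section, option, _value in walk(text):
        for rule_section, rule_option, note in RULES:
            if section == rule_section and option == rule_option:
                findings.append((lineno, section, option, note))
    return findings


if __name__ == "__main__":
    for lineno, section, option, note in audit(SAMPLE):
        target = f"{section} / {option}" if option else section
        print(f"line {lineno}: {target}: {note}")
```

Run it against the configuration copy saved before the upgrade, so the flagged settings can be recorded and re-created in their new location afterwards.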


4 Downgrading to FortiOS v4.0.0

Downgrading to FortiOS v4.0.0 GA (or later) results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles


5 Fortinet Product Integration and Support

 5.1 FortiManager Support

FortiOS v4.0 MR3 - Patch Release 1 is supported by FortiManager v4.0 MR3.

 5.2 FortiAnalyzer Support

FortiOS v4.0 MR3 - Patch Release 1 is supported by FortiAnalyzer v4.0 MR3.

 5.3 FortiClient Support

FortiOS v4.0 MR3 - Patch Release 1 is fully compatible with FortiClient v4.0 MR2 Patch 3.

FortiOS v4.0 MR3 - Patch Release 1 is supported by FortiClient v4.0 MR3 for the following:

• 32-bit version of Microsoft Windows XP
• 32-bit version of Microsoft Windows Vista
• 64-bit version of Microsoft Windows Vista
• 32-bit version of Microsoft Windows 7
• 64-bit version of Microsoft Windows 7

 5.4 FortiAP Support

FortiOS v4.0 MR3 - Patch Release 1 supports the following FortiAP models:

• FortiAP-210B
• FortiAP-220A
• FortiAP-220B
• FortiAP-222B

The FortiAP devices must be running FortiAP v4.0 MR3.

 5.5 Fortinet Single Sign On (FSSO) Support

FortiOS v4.0 MR3 - Patch Release 1 is supported by FSSO v3.00 B068 (FSSO collector agent 3.5.068) for the following:

• 32-bit version of Microsoft Windows 2003 R1 Server
• 64-bit version of Microsoft Windows 2003 R1 Server
• 32-bit version of Microsoft Windows 2008 R1 Server
• 64-bit version of Microsoft Windows 2008 R1 Server
• 64-bit version of Microsoft Windows 2008 R2 Server
• Novell E-directory 8.8.

IPv6 currently is not supported by FSSO.

 5.6 AV Engine and IPS Engine Support

FortiOS v4.0 MR3 - Patch Release 1 is supported by AV Engine 4.00257 and IPS Engine 1.00231.


 5.7 Module Support

FortiOS v4.0 MR3 - Patch Release 1 supports AMC removable modules. These modules are not hot swappable. The FortiGate must be turned off before the module is inserted or removed.

AMC Modules: FortiGate Support

Internal Hard Drive (ASM-S08): FGT-310B, FGT-620B, FGT-621B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW

Internal Hard Drive (FSM-064): FGT-200B, FGT-311B, FGT-1240B, FGT-3040B, FGT-3140B, FGT-3951B

Single Width 4-port 1Gbps Ethernet interface (ASM-FB4): FGT-310B, FGT-311B, FGT-620B, FGT-621B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW

Dual Width 2-port 10Gbps Ethernet interface (ADM-XB2): FGT-3810A, FGT-5001A-DW

Dual Width 8-port 1Gbps Ethernet interface (ADM-FB8): FGT-3810A, FGT-5001A-DW

Single Width 2-port Fiber 1Gbps bypass interface (ASM-FX2): FGT-310B, FGT-311B, FGT-620B, FGT-621B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW

Single Width 4-port Ethernet bypass interface (ASM-CX4): FGT-310B, FGT-311B, FGT-620B, FGT-621B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW

AMC Security Processing Engine Module (ASM-CE4): FGT-1240B, FGT-3810A, FGT-3016B, FGT-5001A-SW

AMC Security Processing Engine Module (ADM-XE2): FGT-3810A, FGT-5001A-DW

AMC Security Processing Engine Module (ADM-XD4): FGT-3810A, FGT-5001A-DW

AMC Security Processing Engine Module (ADM-FE8): FGT-3810A

Rear Transition Module (RTM-XD2): FGT-5001A-DW

Four Port T1/E1 WAN Security Processing Module (ASM-ET4): FGT-310B, FGT-311B

Rear Transition Module (RTM-XB2): FGT-5001A-DW

Fortinet Mezzanine Card (FMC-XG2): FGT-3950B, FGT-3951B

Fortinet Mezzanine Card (FMC-XD2): FGT-3950B, FGT-3951B

Fortinet Mezzanine Card (FMC-F20): FGT-3950B, FGT-3951B

Fortinet Mezzanine Card (FMC-C20): FGT-3950B, FGT-3951B

 5.8 SSL-VPN Support

 5.8.1 SSL-VPN Standalone Client

FortiOS v4.0 MR3 - Patch Release 1 supports the SSL-VPN tunnel client standalone installer B2143 for the following:

• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X in .dmg format
• Virtual Desktop in .jar format for Windows 7, XP, and Vista

The following Operating Systems are supported.

Windows:
• Windows XP 32-bit SP2
• Windows XP 64-bit SP1
• Windows Vista 32-bit SP1
• Windows Vista 64-bit SP1
• Windows 7 32-bit
• Windows 7 64-bit

Linux:
• CentOS 5.2 (2.6.18-el5)
• Ubuntu 8.0.4 (2.6.24-23)

Mac OS X:
• Leopard 10.6.3

Virtual Desktop Support:
• Windows XP 32-bit SP2
• Windows Vista 32-bit SP1
• Windows 7 32-bit

 5.8.2 SSL-VPN Web Mode

The following browsers and operating systems are supported by SSL-VPN web mode.

Operating System: Browser

Windows XP 32-bit SP2: IE7, IE8, IE9 and FF 3.6

Windows XP 64-bit SP1: IE7, IE9 and FF 3.6

Windows Vista 32-bit SP1: IE7, IE8, IE9 and FF 3.6

Windows Vista 64-bit SP1: IE7, IE9 and FF 3.6

Windows 7 32-bit: IE8, IE9 and FF 3.6

Windows 7 64-bit: IE8, IE9 and FF 3.6

CentOS 5.2 (2.6.18-el5): FF 1.5 and FF 3.0

Ubuntu 8.0.4 (2.6.24-23): FF 3.0

Mac OS X Leopard 10.5: Safari 4.1

 5.9 SSL-VPN Host Compatibility List

The following Antivirus and Firewall client software packages are supported.

Windows XP

Symantec Endpoint Protection v11: Antivirus √, Firewall √
Kaspersky Antivirus 2009: Antivirus √, Firewall ✗
McAfee Security Center v8.1: Antivirus √, Firewall √
Trend Micro Internet Security Pro: Antivirus √, Firewall √
F-Secure Internet Security 2009: Antivirus √, Firewall √

Windows 7 (32bit)

CA Internet Security Suite Plus Software: Antivirus √, Firewall √
AVG Internet Security 2011: Antivirus ✗, Firewall ✗
F-Secure Internet Security 2011: Antivirus √, Firewall √
Kaspersky Internet Security 2011: Antivirus √, Firewall √
McAfee Internet Security 2011: Antivirus √, Firewall √
Norton 360™ Version 4.0: Antivirus √, Firewall √
Norton™ Internet Security 2011: Antivirus √, Firewall √
Panda Internet Security 2011: Antivirus √, Firewall √
Sophos Security Suite: Antivirus √, Firewall √
Trend Micro Titanium Internet Security: Antivirus √, Firewall √
ZoneAlarm Security Suite: Antivirus √, Firewall √
Symantec Endpoint Protection Small Business Edition 12.0: Antivirus √, Firewall √

Windows 7 (64bit)

CA Internet Security Suite Plus Software: Antivirus √, Firewall √
AVG Internet Security 2011: Antivirus ✗, Firewall ✗
F-Secure Internet Security 2011: Antivirus √, Firewall √
Kaspersky Internet Security 2011: Antivirus √, Firewall √
McAfee Internet Security 2011: Antivirus √, Firewall √
Norton 360™ Version 4.0: Antivirus √, Firewall √
Norton™ Internet Security 2011: Antivirus √, Firewall √
Panda Internet Security 2011: Antivirus √, Firewall √
Sophos Security Suite: Antivirus √, Firewall √
Trend Micro Titanium Internet Security: Antivirus √, Firewall √
ZoneAlarm Security Suite: Antivirus √, Firewall √
Symantec Endpoint Protection Small Business Edition 12.0: Antivirus √, Firewall √

 5.10 Explicit Web Proxy Browser Support

The following browsers are supported by the Explicit Web Proxy feature.

Supported Browser

• Internet Explorer 7
• Internet Explorer 8
• FireFox 3.x

 5.11 FortiExplorer Support

FortiOS v4.0 MR3 - Patch Release 1 is supported by FortiExplorer 1.3.1205.


6 Resolved Issues in FortiOS v4.0 MR3 - Patch Release 1

The resolved issues listed below do not include every bug that has been corrected with this release. For inquiries about a particular bug, contact Customer Support.

 6.1 Web User Interface

Description: VLAN interfaces fail to appear on the network page in a specific VDom if the VLAN interface and its bound physical interface do not belong to the same VDom.
Bug ID: 140671
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The browser crashes when “Append Signature Text” is configured under “Protocol Options”.
Bug ID: 141751
Status: Fixed in v4.0 MR3 - Patch Release 1.

 6.2 System

Description: FortiGate may drop connections when an AV database update is performed.
Bug ID: 123389
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The firewall will send multiple authentication requests to the Radius/LDAP server if a user to be authenticated matches multiple identity-based firewall policies.
Bug ID: 126523, 140246
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The Proxyworker daemon may hog memory and cause the FortiGate to enter conserve mode.
Bug ID: 141174
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The IPSec tunnel interface on FortiGate-30B cannot be edited.
Model Affected: FortiGate-30B
Bug ID: 137876
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A VoIP profile was added by default after upgrade from FortiOS 4 MR1 and may cause a VIP to occasionally stop working.
Bug ID: 139419
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A user may fail to add interfaces to a zone in TP mode via the CLI, with the error message “Interfaces in a zone must have the same forward_domain id in TP mode”.
Bug ID: 141011
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Some SNMP settings may cause FortiGate to take longer to boot up.
Bug ID: 134274
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: An aggregation interface failed to come back up after it was turned down.
Bug ID: 141502
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Multiple fixes for SNMP.
Bug ID: 139872, 140308, 141026, 141088, 141384
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Critical event logs with the same Log ID 20057 were generated during bootup on some FortiGate models.
Bug ID: 141502
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The policy-id number could occasionally be invalid via CLI when the “diagnose debug flow” command was running.
Model Affected: 64-bit FortiGate models
Bug ID: 142408
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The SSL daemon kept crashing and CPU usage spiked when a large number of SSL VPN users connected.
Model Affected: FortiGate models that support the CP6 accelerator
Bug ID: 131420
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: All sFlow samples on a modem interface cannot be parsed by an analyzer or packet capture software.
Bug ID: 140361
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A 10G interface link is up when only the Tx link is connected to the switch.
Model Affected: FortiGate models that support the XLR card
Bug ID: 134805
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A message that included “User unknown rebooted the device from fgfmd” may appear on the console during the upgrade process when FortiGate received a firmware upgrade request from FortiManager.
Bug ID: 132559
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The WAD daemon kept crashing on FortiGate models that do not support WANOPT.
Bug ID: 142699
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The management IP failed to respond to Ping requests via an interface on which the 'peer-interface' option was enabled in TP mode.
Bug ID: 143024
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: FortiGates might occasionally fail to contact FortiGuard servers after reboot.
Bug ID: 144162
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: FortiGate might, in rare cases, drop an RST packet during the TCP handshake.
Bug ID: 144569
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The DSCP value was not kept when traffic was offloaded on an XG2 interface.
Model Affected: FortiGate models that support XLR interfaces
Bug ID: 143683
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Speed settings on the WAN interface fail to take effect.
Model Affected: FortiGate-30B
Bug ID: 138556
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A VLAN interface might stop working on mgmt interfaces.
Model Affected: FortiGate-3950B, FortiGate-5001B
Bug ID: 143720
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.3 High Availability

Description: Sessions could be lost during upgrade when IPSec VPN was used.
Model Affected: FortiGate models that support NP2 interfaces
Bug ID: 141125
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The 'source-ip' parameter in Syslog and SNMP configurations may not be effective for all messages during failover.
Bug ID: 141098
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Access to the HA management interface cannot be restricted completely by trusthost settings.
Bug ID: 141465
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A Vdom-Link might fail to be created in a Virtual Cluster environment via the Web UI.
Bug ID: 134486
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: An HA cluster may fail to synchronize when an entry in a URL filter is deleted.
Bug ID: 143090
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: FortiGate-5001A unexpectedly freezes in an A-A cluster environment.
Model Affected: FortiGate-5001A
Bug ID: 144537
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The HA management IP cannot be accessed from an IP that falls into an IP range configured in trusthost settings.
Bug ID: 144002
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: HA management interface settings on the slave were unexpectedly synchronized with the master's when configurations were restored.
Bug ID: 138673
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.4 Router

Description: Floating static routes fail to work correctly with RIP when redistribution of static routes is enabled.
Bug ID: 130176
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The auto-cost of a VLAN interface in OSPF is not set properly.
Bug ID: 141151
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Some BGP peers may occasionally fail to be established when hundreds of BGP peers are configured.
Bug ID: 141301
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The AS number was repeatedly added when the “set-aspath” parameter was applied in BGP configurations.
Bug ID: 138613
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A few BGP routes might not be installed correctly under rare circumstances.
Bug ID: 144710
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Stale routes may fail to be removed from the BGP routing table when a peer changed its restart mode to non-graceful.
Bug ID: 144403, 144703
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The multicast routing table failed to reflect the changes when an interface was recovered.
Bug ID: 145704
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.5 Firewall

Description: Firewall policies were lost after upgrade from 4.2.4.
Model Affected: FortiWiFi-60C
Bug ID: 141553
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The TCP split-handshake attack is not blocked by FortiGate with default settings.
Bug ID: 139367
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Users may fail to configure an IPv6 Firewall Address Group recursively.
Bug ID: 139598
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Users may fail to upload pictures to Facebook when the Deep Scanning option is enabled.
Bug ID: 143628
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.6 IPS

Description: IPS database updates could trigger FortiGate into conserve mode for a few seconds.
Bug ID: 139625
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Traffic might experience a short delay while IPS definitions are updating.
Bug ID: 134797
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.7 Web Filter

Description: Multiple fixes for Web Filter.
Bug ID: 139361, 140044, 142279
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A message shall notify the user when the FortiGuard Web Filter Quota is exceeded.
Bug ID: 142596
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.8 Web Proxy

Description: HTTPS URL filtering does not work properly with explicit proxy.
Bug ID: 123801
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Deep Scan may prevent some web sites from displaying their login page.
Bug ID: 131763
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The HTTP proxy may terminate an HTTP session prematurely when the session has a slow connection.
Bug ID: 140917
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A large over-size file may fail to be uploaded through Web Proxy when 'Server Comfort' is enabled and the connection is slow.
Bug ID: 145008
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.9 Antispam

Description: A user may not see the next page in the BWL list if the BWL has more than one page of entries.
Bug ID: 142682
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.10 VPN

Description: MS Office Communicator Web Access mode may fail to be accessed under SSL VPN web mode.
Bug ID: 134620
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The Java applet based Web Application RDP window may crash via the SSL VPN portal after some minutes.
Bug ID: 138309, 139087
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The SSL VPN daemon may keep crashing, and CPU and memory usage may spike, when a number of firewall policies are configured.
Bug ID: 131420
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: An IKE v2 IPSec VPN tunnel may fail to be established when more than one Phase2 is used for one Phase1.
Bug ID: 141574
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: An SSL VPN local user with an LDAP password may not be authenticated to the correct LDAP group when multiple groups were configured in the Identity Based firewall policy.
Bug ID: 140924
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: An XML website may fail to be accessed via the SSL VPN web portal.
Bug ID: 138748
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: “auto-negotiate” shall be enabled to avoid flapping when the monitor-interface option is used for redundancy purposes on multiple IPSec Phase1 interfaces.
Bug ID: 141897
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Some websites might not be accessed normally via SSL VPN web mode.
Bug ID: 139012
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: An IPSec VPN client on a Windows 7 PC may fail to connect when a Sub-CA certificate is used.
Bug ID: 141841
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: An unnecessary NATed IP address may cause IPSec negotiation to fail in Phase 1 when a policy-based IPSec tunnel is configured and the 'nat ip' option is enabled with the same IP address as the binding interface.
Bug ID: 141160
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A GRE tunnel may fail to be established on 64-bit FortiGate models.
Model Affected: 64-bit FortiGate models
Bug ID: 142858
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: An SSL VPN user may fail to be authenticated via an LDAP server if the user belongs to a number of groups.
Bug ID: 140827
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: An IPSec tunnel might fail after a while when two FortiGates were in the same subnet and running in TP mode.
Bug ID: 141748
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.11 Log & Report

Description: Some models may fail to produce charts in reports.
Bug ID: 141279
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: The 'logtraffic-app' option is disabled by default when a new firewall policy is created via the Web UI.
Bug ID: 140660
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: A wrong log ID needs to be corrected in FortiGuard Web Filtering Warning logs.
Bug ID: 141123
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Improvements and corrections to the FTP content log.
Bug ID: 141501, 139241, 131630
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Log Event Filter settings were lost after upgrade.
Bug ID: 139828
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Packet log to FAZ does not work in IDS One Arm mode if no firewall policy was configured.
Bug ID: 133019
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: IM contents were logged mistakenly when only Content Summary was selected.
Bug ID: 128191
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.12 FSSO

Description: A Directory Service configured with a DNS name might not work properly after FortiGate is rebooted.
Bug ID: 140408
Status: Fixed in v4.0 MR3 - Patch Release 1.

Description: Users may fail to be removed from an LDAP group on FortiGate.
Bug ID: 142680
Status: Fixed in v4.0 MR3 - Patch Release 1.

6.13 WiFi

Description: Upgrade to 4.3 fails if the WLAN interface is a member of a soft-switch.
Bug ID: 140988, 140512, 140893
Status: Fixed in v4.0 MR3 - Patch Release 1.

7 Known Issues in FortiOS v4.0 MR3

This section lists the known issues of this release, but is NOT a complete list. For inquiries about a particular bug not listed here, contact Customer Support.

7.1 Web UI

Description: Configuration objects that exceed 2 bytes from use in multi-byte language encodings fail to display upon upgrading to FortiOS v4.0 MR3 Patch Release 1.
Bug ID: 147484
Status: Please refer to Section 2.2 UTF-8 Encoding.

7.2 Command Line Interface (CLI)

Description: An error message “Policy denies URLs when a rating error occurs” may be displayed via the console when web traffic was filtered by the FortiGuard Web Filter service but the service failed to rate the website or failed to reach the FortiGuard server.
Bug ID: 147529
Status: To be fixed in a future release.

7.3 System

Description: FortiGate-One crashed when creating a VLAN interface.
Model Affected: FortiGate-One
Bug ID: 147718
Status: To be fixed in a future release.

7.4 High Availability

Description: Merged_daemon could spike CPU usage, and SYN packets flooded FortiAnalyzer's IP, which could prevent other devices from passing traffic.
Bug ID: 147035
Workaround: Use the CLI command “diag sys top” to identify whether Merged_daemon is causing the CPU spike, and use the CLI command “diag sys kill 9 xx” to restart the daemon.
Status: To be fixed in a future release.

7.5 Firewall

Description: SMTPS, POPS and IMAPS traffic was not processed by the configured dynamic profile.
Bug ID: 147498
Status: To be fixed in a future release.

7.6 VPN

Description: The “mode-cfg” option was turned on by default and can therefore cause a phase1 mismatch during tunnel initialization when an interface mode IPSec Phase1 was configured via the Web UI.
Bug ID: 146113
Workaround: Use the CLI command “config vpn ipsec phase1-interface>set mode-cfg disable” to disable it.
Status: To be fixed in a future release.

8 Image Checksums

The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com). After logging in, click on the "Firmware Images Checksum Code" link in the left frame.

(End of Release Notes.)
